It's sad that we seem to be able to make the right decisions from time to time but at the same time we are actually making the wrong decisions most of the time. Here's to hoping things will eventually get better; I shudder to think of the kind of catastrophe that would swing the pendulum back the other way and turn the tide.
I would go as far as saying that collection of fingerprints and DNA profiles should be expanded. I have enough trust in Dutch democracy to change it back again if it turns out not to improve security after all. (As someone who has lived in other countries, I would not say the same of any democracy).
What if one day, it becomes illegal to be gay? Or have sex with someone out of wedlock?
Then all this data could be used against someone.
While everybody knows that their mobile phone can be/is tracked as it moves between cell towers, it's far less obvious than an explicit vote for or against some kind of invasion of privacy.
In which case, raising awareness so that people can actively override the decisions being made for them seems like a good place to start.
Are there other governments that have spoken out in support of encryption like this? I'm sure there must be, but (casually following the news) I haven't seen any.
The original proposal was to give 500k euro to OpenSSL but what actually was approved was to spread that out amongst OpenSSL, PolarSSL (which, I think, comes from .nl), and LibreSSL, in a manner that was not yet determined.
Personally, I'd prefer to see the majority of it go to the guys working on LibreSSL simply because I think it would have the most impact there. I somewhat expect most of it to go to OpenSSL, however, if for no other reason than it being the most widely used of the three.
Yup, I posted the result on HN but nobody cared at that point. I guess it wasn't quite concrete enough because the money would go to "undetermined open source projects that have to do with encryption, such as polarssl and openssl".
This is not true. However, it is important to keep in mind that were it ever true it would be because of blatant negligence on the part of human actors.
It is neither obvious nor inevitable that a nuclear plant will ever be attacked digitally because a nuclear plant need not be networked - even internally.
It is neither obvious nor inevitable that a hydro dam will ever be attacked digitally because a hydro dam need not be networked - even internally.
With an open mind and some creativity this could be true even for things like air traffic control and the power grid. They don't need Internet access. They might not even need IP.
If any of these things are fragile to digital attacks it is because they were gratuitously made fragile.
Is it popularity or damage/$ that determines what is more dangerous?
Blatant negligence and human factors seem to me to be what to expect, rather than rare exceptions. — Well, not for nuclear plants. But for the power grid for example, and trains and cars and the water pipe system perhaps.
Minister Steur (Security and Justice) this Monday said, representing the second chamber, that "laws that prohibit encryption are not desirable at this time". That doesn't retract their earlier statement, but I think it's an important nuance. Arguably, it might also just be political play to get some douchebag rightwing parties over the line. (Dutch source http://tweakers.net/nieuws/107104/kabinet-beperking-van-encr...)
Similarly, in December, a law was passed that allows authorities to hack 'criminals' without a warrant. In many countries, (liberty) activists are criminals too.
That said, I still appreciate where things are going. Privacy is a very tough political climate and I think it's solid that we (the Dutch) take this standpoint. Baby steps.
I don't disagree with left parties' policies - I am a Democrat, and would most likely vote for left-wing parties in most of Europe (or whoever is less xenophobic). I am against tyranny on the left or on the right. I don't like people who support the denigration / dehumanization / oppression of those who they disagree with and marginalize an entire group of people. I can cite you dozens of statements made by the likes of Jean-Paul Sartre, Arthur Scargill, Jan Myrdal, Doris Lessing, Andre Gide, Bertolt Brecht, and other lesser-known political leaders and intellectuals in Western Europe (that is, the part not invaded by Soviets thanks to US intervention), that are supportive of Stalin / supportive of the USSR. I am stating a fact, not using slurs.
I am also critical of the right (or anyone, really) that support dictatorial/oppressive governments in Latin America and the Middle East. I am pro individual freedom, liberty, and dignity. I am against people being enslaved either by their own state, or by an exploitative economy through the invisible chains of debt.
Also, the money going to OpenSSL and others is completely unrelated to the current encryption banning talks going on in the Netherlands. This is a great initiative that should be applauded.
I agree with your conclusion though, but I am very wary of the Dutch MoD.
"At this time, there is no outlook on the general possibility to, for example via standards, weaken encryption products without compromising the security of digital systems relying on encryption. By for example introducing a technical point of access into an encryption product which would enable intelligence agencies to view encrypted files, digital systems could be rendered vulnerable to for example criminals, terrorists and foreign intelligence agencies. This would have negative consequences for the security of communicated or saved information, and the integrity of ICT-systems, which are increasingly of importance in the functioning of society." (second paragraph of 'Afweging en conclusie')
(in these debates, there is always an important question: what would Ivo have said? Luckily, somebody has already provided an answer: http://tinyurl.com/whatwouldivohavesaid)
For example in June has asked questions about "the news that American intelligence agencies used vulnerabilities in encryption software" (specifically weak DH / Logjam).
If anything, this proposal has more to do with Logjam than with Diginotar. Not all too incidentally, improving OpenSSL would do nothing to prevent another Diginotar from happening.
Who is the real "douchebag" in that case?
It's the reason I really don't like Hillary. I can put up with her economic and social positions but in my view she hits the tip top of the authoritarian graph and it scares me.
That the Dutch intelligence services are now hampered by end-to-end encryption, leaving the ISPs with no way to cooperate any more, is basically the problem of the intelligence services to solve, and not a legal problem. Hence, encryption stays in place.
File format error found at
SAXParseException: '[word/document.xml line 2]: unknown error', Stream 'word/document.xml', Line 2, Column 30060(row,col).
Great. Usually OOXML Word files at least open in LibreOffice, but this one seems to have some unsolvable weirdness. I don't get why they don't offer a PDF download — it, at least, is an open format that can be reliably opened on any OS. Or offer a plain text version, or simply post the paper on their website in HTML.
Almost all parliamentary documents can be found as PDF. It looks like the recent ones are first published as doc.
Apparently new documents can be posted as DOCX only (strange).
You are right to point out the open standard guidelines, but unfortunately, they are marked as comply or explain. This means that they are not mandatory if you have a valid reason not to be able to comply with them. In this case, the reason is probably "our civil servants are used to Microsoft's defaults", which is — as much as I disagree with this policy — probably enough to get away with it.
This is the UK government advice. Hopefully it’ll percolate through other governments. https://www.gov.uk/service-manual/user-centred-design/choosi...
But I guess it is good to leave encryption strong, forget about mass surveillance and focus energy on individuals actually suspected of a crime.
The cynic in me thinks the reasoning was: "We need a European Google", "We see that Europeans distrust American companies because of NSA economic spying in the past", "Let's make the Netherlands more attractive for large European companies"... no idealism involved.
Edit: Updated original post: This new law ("Wet Computercriminaliteit 3") has not been passed yet!
Imagine if the police had prior knowledge of a vulnerability in the computer system of a car, but did not act to protect the public. A few years later a criminal figures out the same vulnerability and causes a major car crash on a motorway and murders several people. I would expect the police officer to be found liable under breach of duty, same as if they witnessed a crime and refused to act.
Under the same logic, if companies have a legal responsibility to protect their customers and provide safe products, and police officers have a professional responsibility to report crimes, then the police should be forced to act if they have confirmed information about a security vulnerability.
Since 1 January there is also a law in the Netherlands that requires companies to report any data leaks.
I was thinking about this when Anonymous "hacked" thousands of ISIS twitter accounts. On the one hand that saves Twitter from having to make a stand themselves - but if they didn't immediately plug those holes, they're leaving legitimate users at risk.
Also, one very bothersome side effect of government-sanctioned hacking is that governments have an incentive not to notify software vendors about vulnerabilities.
This seems to go against the Dutch Constitution, so hopefully people are fighting this.
In the EU, net contributors seem to have something awfully close to an effective veto regarding minor issues, so this is good news.
Do you have a source for this? I never got this impression. Some countries have proportionally large influence due to their size, namely France and Germany. Some others due to the high-quality diplomats and politicians they send to Europe, such as Belgium and Italy.
Some countries actively sabotage their own influence in the EU, by showing nothing but hostility and obstruction (UK), or by using the EU as a kind of retirement plan for politicians and diplomats that failed domestically (Netherlands). Always echoing the German point of view should not be seen as "an effective veto", it is essentially an attempt to stay in favor with their formerly close, powerful friend to the east, who has been getting less and less interested over the years, as his attention shifts towards the East.
Hopefully they won't fund secret backdoors though :)
Yes, it may have bugs. Yes, the NSA may have tampered with the standards themselves (that everyone else must also implement, else risk compatibility issues in some areas).
But there are no drop-in alternatives that aren't based on the same codebase, and almost no one is using any alternatives: NSS (Mozilla's framework) is rarely used outside of Firefox, GnuTLS is rarely used, I've never heard of anyone using PolarSSL outside of very specific embedded projects, and LibreSSL (an OpenSSL fork) is being adopted only as a license-related political response, and BoringSSL is Google's response to the entire thing (their own OpenSSL fork that they control, to just ignore the entire political bullshit).
$ /usr/bin/ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8
> "... license politics reasons ..."
I'm not sure exactly what you mean by this?
I mentioned OpenBSD replacing OpenSSL with it simply because the "official" OpenSSH is now developed against it.
I'm not sure if LibreSSL is being used for the portable version yet but if/when that happens, I expect people will begin to "trust" it more, leading to more projects potentially deciding to also replace OpenSSL with LibreSSL (i.e. for valid technical reasons, not for "political" ones).
The announcement was that they are moving to Apache License 2.0, thus solving both issues. However, this move has not happened yet.
Something changed a while ago, my software stopped working with it, and I could only fix once I followed some LibreSSL guidelines. I thought it was this change, looks like I was wrong.
Firefox, Chrome on platforms other than Android, OS X, and iOS (although I think they have completed removal of the NSS interface and gone with OpenSSL on all platforms, now served by Google's own BoringSSL fork), the mod_nss module for Apache, some Java projects (including some from Red Hat and Sun/Oracle) that don't want to use Java's own SSL API, all use NSS.
Unfortunately their deeds will be unsung.
seems ultimately the opposite of what you're talking about.